b'      Department of Homeland Security\n\n\n\n\n      Information Technology Management Letter for the\n           FY 2012 Department of Homeland Security\n                    Financial Statement Audit\n\n\n\n\nOIG-13-58                                       April 2013\n\n\x0c                         OFFICE OF INSPECTOR GENERAL\n                             Department of Homeland Security\n                              Washington, DC 20528 / www.oig.dhs.gov\n\n\n\xc2\xa0\n                                       April\xc2\xa04,\xc2\xa02013\xc2\xa0\n\xc2\xa0\n\xc2\xa0\nMEMORANDUM\xc2\xa0FOR:\t\xc2\xa0\xc2\xa0           Richard\xc2\xa0Spires\xc2\xa0\n                             Chief\xc2\xa0Information\xc2\xa0Officer\xc2\xa0\n\xc2\xa0\n                             Peggy\xc2\xa0Sherry\xc2\xa0\n                             Chief\xc2\xa0Financial\xc2\xa0Officer\xc2\xa0\n\xc2\xa0\nFROM:\t\xc2\xa0                      Frank\xc2\xa0Deffer\xc2\xa0\n                             Assistant\xc2\xa0Inspector\xc2\xa0General\xc2\xa0\n                             Office\xc2\xa0of\xc2\xa0Information\xc2\xa0Technology\xc2\xa0Audits\xc2\xa0\n\xc2\xa0\nSUBJECT:\t\xc2\xa0                   Information\xc2\xa0Technology\xc2\xa0Management\xc2\xa0Letter\xc2\xa0for\xc2\xa0the\xc2\xa0FY\xc2\xa0\n                             2012\xc2\xa0Department\xc2\xa0of\xc2\xa0Homeland\xc2\xa0Security\xc2\xa0Financial\xc2\xa0\n                             
Statement\xc2\xa0Audit\xc2\xa0\n\xc2\xa0\nAttached\xc2\xa0for\xc2\xa0your\xc2\xa0action\xc2\xa0is\xc2\xa0our\xc2\xa0final\xc2\xa0report,\xc2\xa0Information\xc2\xa0Technology\xc2\xa0Management\xc2\xa0Letter\xc2\xa0\nfor\xc2\xa0the\xc2\xa0FY\xc2\xa02012\xc2\xa0Department\xc2\xa0of\xc2\xa0Homeland\xc2\xa0Security\xc2\xa0Financial\xc2\xa0Statement\xc2\xa0Audit.\xc2\xa0\xc2\xa0The\xc2\xa0\nindependent\xc2\xa0accounting\xc2\xa0firm\xc2\xa0KPMG\xc2\xa0LLP\xc2\xa0(KPMG)\xc2\xa0performed\xc2\xa0the\xc2\xa0audit\xc2\xa0of\xc2\xa0Department\xc2\xa0of\xc2\xa0\nHomeland\xc2\xa0Security\xc2\xa0(DHS)\xc2\xa0financial\xc2\xa0statements\xc2\xa0as\xc2\xa0of\xc2\xa0September\xc2\xa030,\xc2\xa02012,\xc2\xa0and\xc2\xa0prepared\xc2\xa0\nthis\xc2\xa0information\xc2\xa0technology\xc2\xa0(IT)\xc2\xa0management\xc2\xa0letter.\xc2\xa0\xc2\xa0\xc2\xa0\n\xc2\xa0\nKPMG\xc2\xa0is\xc2\xa0responsible\xc2\xa0for\xc2\xa0the\xc2\xa0attached\xc2\xa0IT\xc2\xa0management\xc2\xa0letter\xc2\xa0dated\xc2\xa0December\xc2\xa020,\xc2\xa02012,\xc2\xa0\nand\xc2\xa0the\xc2\xa0conclusion\xc2\xa0expressed\xc2\xa0in\xc2\xa0it.\xc2\xa0\xc2\xa0We\xc2\xa0do\xc2\xa0not\xc2\xa0express\xc2\xa0an\xc2\xa0opinion\xc2\xa0on\xc2\xa0DHS\xe2\x80\x99\xc2\xa0financial\xc2\xa0\nstatements\xc2\xa0or\xc2\xa0internal\xc2\xa0controls\xc2\xa0or\xc2\xa0conclusions\xc2\xa0on\xc2\xa0compliance\xc2\xa0with\xc2\xa0laws\xc2\xa0and\xc2\xa0regulations.\xc2\xa0\xc2\xa0\nThe\xc2\xa0DHS\xc2\xa0management\xc2\xa0concurred\xc2\xa0with\xc2\xa0all\xc2\xa0recommendations.\xc2\xa0\n\xc2\xa0\nConsistent\xc2\xa0with\xc2\xa0our\xc2\xa0responsibility\xc2\xa0under\xc2\xa0the\xc2\xa0Inspector\xc2\xa0General\xc2\xa0Act,\xc2\xa0we\xc2\xa0are\xc2\xa0providing\xc2\xa0\ncopies\xc2\xa0of\xc2\xa0our\xc2\xa0report\xc2\xa0to\xc2\xa0appropriate\xc2\xa0congressional\xc2\xa0committees\xc2\xa0with\xc2\xa0oversight\xc2\xa0and\xc2\xa0\nappropriation\xc2\xa0responsibility\xc2\xa0over\xc2\xa0the\xc2\xa0Department\xc2\xa0of\xc2\xa0Homeland\xc2\xa0Security.\xc2\xa0\xc2\xa0We\xc
2\xa0will\xc2\xa0post\xc2\xa0\nthe\xc2\xa0report\xc2\xa0on\xc2\xa0our\xc2\xa0website\xc2\xa0for\xc2\xa0public\xc2\xa0dissemination.\xc2\xa0\xc2\xa0\xc2\xa0\n\xc2\xa0\nPlease\xc2\xa0call\xc2\xa0me\xc2\xa0with\xc2\xa0any\xc2\xa0questions,\xc2\xa0or\xc2\xa0your\xc2\xa0staff\xc2\xa0may\xc2\xa0contact\xc2\xa0Sharon\xc2\xa0Huiswoud,\xc2\xa0Director,\xc2\xa0\nInformation\xc2\xa0Systems\xc2\xa0Audit\xc2\xa0Division,\xc2\xa0at\xc2\xa0(202)\xc2\xa0254\xe2\x80\x905451.\xc2\xa0\n\xc2\xa0\nAttachment\xc2\xa0\n\xc2\xa0\n\xc2\xa0                             \xc2\xa0\n\x0c                               KPMG LLP\n                               Suite 12000\n                               1801 K Street, NW\n                               Washington, DC 20006\n\n\n\n\nApril 2, 2013\n\nActing Inspector General\nU.S. Department of Homeland Security\n\nChief Information Officer and Chief Financial Officer\nU.S. Department of Homeland Security\n\nWe have audited the balance sheet of the U.S. Department of Homeland Security (DHS or\nDepartment) as of September 30, 2012 and the related statements of net cost, changes in net\nposition and custodial activity, and combined statement of budgetary resources for the year then\nended (referred to herein as the \xe2\x80\x9cfiscal year (FY) 2012 financial statements\xe2\x80\x9d). The objective of\nour audit was to express an opinion on the fair presentation of these financial statements. We\nwere also engaged to examine the Department\xe2\x80\x99s internal control over financial reporting of the\nFY 2012 financial statements, based on the criteria established in Office of Management and\nBudget, Circular No. 
A-123, Management\xe2\x80\x99s Responsibility for Internal Control, Appendix A.\nOur Independent Auditors\xe2\x80\x99 Report issued on November 14, 2012, describes a limitation on the\nscope of our audit that prevented us from performing all procedures necessary to express an\nunqualified opinion on the DHS\xe2\x80\x99 FY 2012 financial statements and internal control over\nfinancial reporting. In addition, the FY 2012 DHS Secretary\xe2\x80\x99s Assurance Statement states that\nthe Department was able to provide qualified assurance that internal control over financial\nreporting was operating effectively at September 30, 2012.\nIn accordance with Government Auditing Standards, our Independent Auditors\xe2\x80\x99 Report, dated\nNovember 14, 2012, included financial systems general Information Technology (IT) control\n(GITC) deficiencies which we believe contribute to a DHS-level significant deficiency that is\nconsidered a material weakness. IT control deficiencies were identified in areas of access\ncontrols, configuration management, security management, contingency planning, and\nsegregation of duties. We also noted that in some cases, financial system functionality is\ninhibiting DHS\xe2\x80\x99 ability to implement and maintain internal controls, notably IT applications\ncontrols supporting financial data processing and reporting. These matters are described in the\nGeneral IT Control Findings and Recommendations section of this letter.\nThe material weakness and other comments described herein have been discussed with the\nappropriate members of management, or communicated through a Notice of Finding and\nRecommendation (NFR). 
We aim to use our knowledge of DHS\xe2\x80\x99 organization gained during\nour audit engagement to make comments and suggestions that we hope will be useful to you.\nWe have not considered internal control since the date of our Independent Auditors\xe2\x80\x99 Report.\nThe Table of Contents on the next page identifies each section of the letter. We have provided\na description of key DHS financial systems within the scope of the FY 2012 DHS financial\nstatement audit engagement in Appendix A; a description of each internal control finding in\nAppendix B; and the current status of the prior year NFRs in Appendix C. Our comments\nrelated to financial management and reporting internal controls (comments not related to IT)\n\n\n\n\n                               KPMG LLP is a Delaware limited liability partnership,\n                               the U.S. member firm of KPMG International Cooperative\n                               (\xe2\x80\x9cKPMG International\xe2\x80\x9d), a Swiss entity.\n\x0chave been presented in a separate letter to the Office of Inspector General (OIG) and the DHS\nChief Financial Officer (CFO).\nWe would be pleased to discuss these comments and recommendations with you at any time.\nThis report is intended for the information and use of the DHS\xe2\x80\x99 management, the DHS Office of\nInspector General, the U.S. Office of Management and Budget, the U.S. 
Congress, and the\nGovernment Accountability Office, and is not intended to be and should not be used by anyone\nother than these specified parties.\n\n\nVery truly yours,\n\x0c                                 Department of Homeland Security\n                             Information Technology Management Letter\n                                        September 30, 2012\n\n                INFORMATION TECHNOLOGY MANAGEMENT LETTER\n\n                                       TABLE OF CONTENTS\n\n                                                                                            Page\n\nObjective, Scope, and Approach                                                               1\n\nSummary of Findings and Recommendations                                                      2\n\nGeneral IT Control Findings and Recommendations                                              3\n\n   Findings                                                                                  3\n\n       Related to IT Financial Systems Controls                                              3\n\n           Access Controls                                                                   3\n\n           Configuration Management                                                          3\n\n           Security Management                                                               3\n\n           Contingency Planning                                                              4\n\n           Segregation of Duties                                                             4\n\n       Related to Financial System Functionality                                             4\n\n   Recommendations                                                                           5\n\n\n                                           APPENDICES\n\nAppendix                                          Subject                                   Page\n\n           Description of Key Financial Systems and IT 
Infrastructure within the Scope of\n   A                                                                                         6\n           the FY 2012 DHS Financial Statement Audit\n\n   B       FY 2012 Notices of IT Findings and Recommendations at DHS                        15\n\n           Status of Prior Year Notices of Findings and Recommendations and Comparison \n\n   C                                                                                        28\n\n           to Current Year Notices of Findings and Recommendations at DHS\n\n\n\n\n                      Information Technology Management Letter for the \n\n              FY 2012 Department of Homeland Security Financial Statement Audit\n\n\x0c                                   Department of Homeland Security\n                               Information Technology Management Letter\n                                          September 30, 2012\n\n                            OBJECTIVE, SCOPE, AND APPROACH\n\nDuring our engagement to perform an integrated audit of DHS, we evaluated the design and effectiveness\nof general information technology controls (GITCs) of DHS\xe2\x80\x99 financial processing environment and\nrelated IT infrastructure as necessary to support the engagement. The Federal Information System\nControls Audit Manual (FISCAM), issued by the GAO, formed the basis of our audit as it relates to GITC\nassessments at DHS.\n\nFISCAM was designed to inform financial auditors about IT controls and related audit concerns to assist\nthem in planning their audit work and to integrate the work of auditors with other aspects of the financial\naudit. 
FISCAM also provides guidance to IT auditors when considering the scope and extent of review\nthat generally should be performed when evaluating GITCs and the IT environment of a Federal agency.\nFISCAM defines the following five control functions to be essential to the effective operation of GITCs\nand the IT environment.\n\n   Security Management (SM) \xe2\x80\x93 Controls that provide a framework and continuing cycle of activity for\n   managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy\n   of computer-related security controls.\n   Access Control (AC) \xe2\x80\x93 Controls that limit or detect access to computer resources (data, programs,\n   equipment, and facilities) and protect against unauthorized modification, loss, and disclosure.\n   Configuration Management (CM) \xe2\x80\x93 Controls that help to prevent unauthorized changes to information\n   system resources (software programs and hardware configurations) and provides reasonable assurance\n   that systems are configured and operating securely and as intended.\n   Segregation of Duties (SD) \xe2\x80\x93 Controls that constitute policies, procedures, and an organizational\n   structure to manage who can control key aspects of computer-related operations.\n   Contingency Planning (CP) \xe2\x80\x93 Controls that involve procedures for continuing critical operations\n   without interruption, or with prompt resumption, when unexpected events occur.\n\nTo complement our GITC audit procedures, we also performed technical security testing for key network\nand system devices at DHS. The technical security testing was performed both over the Internet and from\nwithin select DHS facilities, and focused on test, development, and production devices that directly\nsupport DHS\xe2\x80\x99 financial processing and key general support systems. 
Limited social engineering and\nafter-hours physical security testing was also included in the scope of the technical security testing at\ncertain DHS components.\n\nIn addition, we performed testing over selected key application controls to assess the controls that support\nDHS financial systems\xe2\x80\x99 internal controls over the input, processing, and output of financial data and\ntransactions. FISCAM defines application controls as the structure, policies, and procedures that apply to\nseparate, individual application systems, such as accounts payable, inventory, or payroll. Specific results\nof the application controls test work is provided in separate For Official Use Only IT management letters\nprovided to component management and the OIG.\n\nIn recent years, we have noted that the DHS\xe2\x80\x99 financial system functionality may be inhibiting the\nagency\xe2\x80\x99s ability to implement and maintain internal controls, notably IT applications controls supporting\nfinancial data processing and reporting at some components. At most components, the financial systems\nhave not been substantially updated since being inherited from legacy agencies several years ago.\nTherefore, in FY 2012, we continued to evaluate and consider the impact of financial system functionality\nover financial reporting.\n\n\n                       Information Technology Management Letter for the \n\n               FY 2012 Department of Homeland Security Financial Statement Audit\n\n                                            Page 1\n\n\x0c                                   Department of Homeland Security\n                               Information Technology Management Letter\n                                          September 30, 2012\n\n                  SUMMARY OF FINDINGS AND RECOMMENDATIONS\n\nDuring our FY 2012 assessment of IT general and application controls, we noted that the DHS\ncomponents made progress in the remediation of IT findings we reported in FY 2011. 
As a result, we\nclosed approximately 68 (47 percent) of our prior year IT findings. However, we identified 103 new\nfindings, which is a significant increase compared to the 41 new findings in FY 2011. In FY 2012, we\nidentified approximately 180 total findings, of which approximately 43 percent are repeated from last\nyear. Approximately 41 percent of our repeat findings were for IT deficiencies that management\nrepresented were corrected during FY 2012. The new findings in FY 2012 resulted primarily from\nadditional IT systems and business processes within the scope of our audit this year, and were noted at all\nDHS components. Customs and Border Protection (CBP) and the Federal Emergency Management\nAgency (FEMA) had the greatest number of new findings. We also considered the effects of financial\nsystem functionality when testing internal controls and evaluating findings. Many key DHS financial\nsystems are not compliant with Federal Financial Management Improvement Act of 1996 (FFMIA) and\nOMB Circular Number A-127, Financial Management Systems, as revised. 
DHS financial system\nfunctionality limitations add substantially to the Department\xe2\x80\x99s challenges of addressing systemic internal\ncontrol weaknesses and limit the Department\xe2\x80\x99s ability to leverage IT systems to effectively and efficiently\nprocess and report financial data.\n\nThe most significant weaknesses from a financial statement audit perspective continued to include:\n\n    1.\t excessive unauthorized access to key DHS financial applications, resources, and facilities;\n    2.\t configuration management controls that are not fully defined, followed, or effective;\n    3.\t security management deficiencies in the area of the certification and accreditation process and an\n        ineffective program to enforce role-based security training and staff background investigations;\n    4.\t contingency planning that lacked current, tested, contingency plans developed to protect DHS\n        resources and financial applications; and\n    5.\t lack of proper segregation of duties for roles and responsibilities within financial systems.\n\nThe conditions supporting our findings collectively limited DHS\xe2\x80\x99 ability to ensure that critical financial\nand operational data were maintained in such a manner to ensure confidentiality, integrity, and\navailability. In addition, these deficiencies negatively impacted the internal controls over DHS\xe2\x80\x99 financial\nreporting and its operation and we consider them to collectively represent a material weakness for DHS\nunder standards established by the American Institute of Certified Public Accountants (AICPA) and the\nGAO. 
The IT findings were combined into one material weakness regarding IT Controls and Financial\nSystem Functionality for the FY 2012 audit of the DHS consolidated financial statements.\n\n\n\n\n                       Information Technology Management Letter for the \n\n               FY 2012 Department of Homeland Security Financial Statement Audit\n\n                                            Page 2\n\n\x0c                                  Department of Homeland Security\n                              Information Technology Management Letter\n                                         September 30, 2012\n\n            GENERAL IT CONTROL FINDINGS AND RECOMMENDATIONS\n\nIn FY 2012, a number of IT and financial system functionality deficiencies were identified at DHS.\nApproximately 180 findings were identified of which approximately 43 percent are repeated from last\nyear. The primary (circle) bullets listed below each FISCAM heading are a cross-representation of the\nnature of IT general control deficiencies identified throughout the Department\xe2\x80\x99s components. The\nsecondary (dash) bullets represent single or multiple occurrence findings in one or more components.\n\nFindings:\n\nOur findings related to GITCs and financial systems functionality follow:\n\nRelated to IT Financial Systems Controls\n\n1. Access Controls:\n\n       Deficiencies in management of application and/or database accounts, network, and remote user\n       accounts.\n       Ineffective safeguards over logical and physical access to sensitive facilities and resources.\n       Lack of generation, review, and analysis of system audit logs and adherence to DHS\n       requirements.\n       Excessive access of authorized personnel to sensitive areas containing key financial systems, and\n       lack of proper enforcement of data center access controls.\n\n2. 
Configuration Management\n\n       Lack of documented policies and procedures.\n       Lack of sufficiently documented script management test plans in accordance with minimum DHS\n       requirements.\n       Security patch management and configuration deficiencies identified during the vulnerability\n       assessment on the platforms supporting the key financial applications and general support\n       systems.\n       Lack of maintained evidence to support authorized modifications to key financial systems.\n       Internal requirements to conduct Functional Configuration Audits and Physical Configuration\n       Audits were not followed at one component.\n\n3. Security Management:\n\n       Systems certification and accreditation were not completed and documented.\n       IT Security personnel lack mandatory role-based training or compliance was not documented and\n       monitored, and computer security awareness training was not monitored.\n       Background investigations of Federal employees and contractors employed to operate, manage\n       and provide security over IT systems were not being properly conducted, nor consistently tracked\n       and monitored.\n\n\n\n                       Information Technology Management Letter for the \n\n               FY 2012 Department of Homeland Security Financial Statement Audit\n\n                                            Page 3\n\n\x0c                                    Department of Homeland Security\n                                Information Technology Management Letter\n                                           September 30, 2012\n\n4. 
Contingency Planning:\n\n        Service continuity plans were not tested nor updated to reflect the current environment, and an\n        alternate processing site has not been established for high risk systems.\n        Authorized access to backup media was not periodically reviewed and updated; at one component\n        procedures to periodically test backups was not implemented.\n\n5. Segregation of Duties:\n\n        Lack of evidence to show that least privilege and segregation of duties controls exist, including\n        policies and procedures to define conflicting duties and access rights.\n\nThese control findings, including other significant deficiencies and criteria are described in greater detail\nin separate For Official Use Only letters provided to DHS management.\n\nRelated to Financial System Functionality\n\nCoast Guard (some conditions impact the Transportation Security Administration (TSA) as a user of\nCoast Guard\xe2\x80\x99s IT accounting systems):\n\n        The core financial system configuration management process relies on an IT script process as a\n        solution primarily to compensate for system functionality and data quality issues.\n        The component is unable to routinely query its various general ledgers to obtain a complete\n        population of financial transactions, and consequently must create many manual custom queries\n        that delay financial processing and reporting processes.\n        A key financial system is limited in processing overhead cost data and depreciation expenses in\n        support of the property, plant and equipment financial statement line item.\n        Production versions of financial systems are outdated and do not provide the necessary core\n        functional capabilities (e.g., general ledger capabilities).\n        The budgetary module of the core financial system is not activated. 
As a result, key attributes\n        (e.g., budget fiscal year) are missing and potential automated budgetary entries (e.g., upward\n        adjustments) are not used. This has created the need for various manual workarounds and non-\n        standard adjustments (i.e., topsides) to be implemented.\n        Financial systems functionality limitations are preventing the Coast Guard from establishing\n        automated processes and application controls that would improve accuracy, reliability, and\n        facilitate efficient processing of certain financial data such as:\n        -   Receipt of goods and services upon delivery. As a result, the Coast Guard records a manual\n            estimate of potential receipted goods and services at year end in the general ledger;\n        -   Ensuring proper segregation of duties and access rights, such as automating the procurement\n            process to ensure that only individuals who have proper contract authority can approve\n            transactions or setting system access rights within the fixed asset subsidiary ledger;\n        -   Maintaining adequate posting logic transaction codes to ensure that transactions are recorded\n            in accordance with generally accepted accounting principles (GAAP); and\n\n\n\n\n                        Information Technology Management Letter for the \n\n                FY 2012 Department of Homeland Security Financial Statement Audit\n\n                                             Page 4\n\n\x0c                                    Department of Homeland Security\n                                Information Technology Management Letter\n                                           September 30, 2012\n\n       -   Tracking detailed transactions associated with intragovernmental business and eliminating the\n           need for default codes such as Trading Partner Identification Number that cannot be easily\n           researched.\n\nOther Department Components:\n\nWe noted many 
cases where financial system functionality is inhibiting DHS\xe2\x80\x99 ability to implement and\nmaintain internal controls, notably IT application controls supporting financial data processing and\nreporting. We noted persistent and pervasive financial system functionality conditions at all of the\nsignificant DHS components in the following general areas:\n\n        Inability of financial systems to process, store, and report financial and performance data to\n        facilitate decision making, safeguarding and management of assets, and prepare financial\n        statements that comply with GAAP.\n        Technical configuration limitations, such as outdated systems that are no longer fully supported\n        by the software vendors, impaired DHS\xe2\x80\x99 ability to fully comply with policy in areas such as IT\n        security controls, notably password management, audit logging, user profile changes, and the\n        restricting of access for off-boarding employees and contractors.\n        System capability limitations prevent or restrict the use of applications controls to replace less\n        reliable, more costly manual controls. Or in some cases, require additional manual controls to\n        compensate for IT security or control weaknesses.\n\nCause/Effect: DHS management recognizes the need to upgrade its financial systems. Until serious legacy\nIT issues are addressed, and updated IT solutions implemented, compensating controls and other complex\nmanual workarounds must support its IT environment and financial reporting. As a result, DHS\xe2\x80\x99\ndifficulty in attesting to a strong control environment, to include effective general IT controls and reliance\non key financial systems, will continue.\n\nThe conditions supporting our findings collectively limit DHS\xe2\x80\x99 ability to process, store, and report\nfinancial data in a manner to ensure accuracy, confidentiality, integrity, and availability. 
Some of the\nweaknesses may result in material errors in DHS\xe2\x80\x99 financial data that are not detected in a timely manner\nthrough the normal course of business. In addition, because of the presence of IT control and financial\nsystem functionality weaknesses; there is added pressure on mitigating controls to operate effectively.\nBecause mitigating controls are often more manually focused, there is an increased risk of human error\nthat could materially affect the financial statements.\n\nRecommendation: We recommend that the DHS Office of the Chief Information Officer (OCIO), in\ncoordination with the Office of the Chief Financial Officer (OCFO) continue the Financial Systems\nModernization initiative, and make necessary improvements to the Department\xe2\x80\x99s financial management\nsystems and supporting IT security controls. Specific recommendations are provided in separate For\nOfficial Use Only letters provided to DHS management.\n\nManagement Comments: We discussed our report with the DHS CFO and CIO and they have agreed with\nthe findings and recommendations reported herein.\n\n\n\n\n                        Information Technology Management Letter for the \n\n                FY 2012 Department of Homeland Security Financial Statement Audit\n\n                                             Page 5\n\n\x0c                                                                             Appendix A\n                         Department of Homeland Security\n                     Information Technology Management Letter\n                                September 30, 2012\n\n\n\n\n                                Appendix A\nDescription of Key Financial Systems and IT Infrastructure within\n    the Scope of the FY 2012 DHS Financial Statement Audit\n\n\n\n\n                Information Technology Management Letter for the \n\n        FY 2012 Department of Homeland Security Financial Statement Audit\n\n                                     Page 6\n\n\x0c              
                                                                                Appendix A\n                                    Department of Homeland Security\n                                Information Technology Management Letter\n                                           September 30, 2012\n\nBelow is a description of significant financial management systems and supporting IT infrastructure\nincluded in the scope of the DHS FY 2012 financial statement audit.\n\nUnited States Coast Guard (USCG or Coast Guard)\n\nCore Accounting System (CAS)\n\nCAS is the core accounting system that records financial transactions and generates financial statements\nfor the Coast Guard. CAS is hosted at FINCEN in Virginia (VA). The FINCEN is the Coast Guard\xe2\x80\x99s\nprimary data center. CAS interfaces with two other systems located at the FINCEN, the Workflow\nImaging Network System (WINS) and the Financial and Procurement Desktop (FPD).\n\nFinancial Procurement Desktop (FPD)\n\nThe FPD application is used to create and post obligations to the core accounting system. It allows users\nto enter funding, create purchase requests, issue procurement documents, perform system administration\nresponsibilities, and reconcile weekly program element status reports. FPD is interconnected with the\nCAS system and is located at the FINCEN in VA.\n\nWorkflow Imaging Network System (WINS)\n\nWINS is the document image processing system, which is integrated with an Oracle Developer/2000\nrelational database. WINS allows electronic data and scanned paper documents to be imaged and\nprocessed for data verification, reconciliation and payment. WINS utilizes MarkView software to scan\ndocuments and to view the images of scanned documents and to render images of electronic data\nreceived. 
WINS is interconnected with the CAS and FPD systems and is located at the FINCEN in VA.\n\nJoint Uniform Military Pay System (JUMPS)\n\nJUMPS is a mainframe application used for paying USCG active and reserve payroll. JUMPS is located\nat the Pay and Personnel Center in Kansas.\n\nDirect Access\n\nDirect Access is the system of record and all functionality, data entry, and processing of payroll events is\nconducted exclusively in Direct Access. Direct Access is maintained by IBM Application On Demand\n(IBM AOD) in the iStructure data center facility in Arizona (AZ) with a hot site located in a Qwest data\ncenter in VA.\n\nGlobal Pay (Direct Access II)\n\nGlobal Pay provides retiree and annuitant support services. Global Pay is maintained by IBM AOD in the\niStructure data center facility in AZ with a hot site located in a Qwest data center in VA.\n\nShore Asset Management (SAM)\n\nSAM is hosted at the Coast Guard\xe2\x80\x99s OSC in West Virginia. SAM provides core information about the\nUSCG shore facility assets and facility engineering. The application tracks activities and assist in the\nmanagement of the Civil Engineering Program and the Facility Engineering Program. SAM data\n\n\n                        Information Technology Management Letter for the \n\n                FY 2012 Department of Homeland Security Financial Statement Audit\n\n                                             Page 7\n\n\x0c                                                                                              Appendix A\n                                   Department of Homeland Security\n                               Information Technology Management Letter\n                                          September 30, 2012\n\ncontributes to the shore facility assets full life cycle program management, facility engineering full life\ncycle program management and rationale to adjust the USCG mission needs through planning, budgeting,\nand project funding. 
SAM also provides real property inventory and management of all shore facilities, in addition to the
ability to manage and track facilities engineering equipment and the maintenance of that equipment.

Naval and Electronics Supply Support System (NESSS)

NESSS is one of four automated information systems that comprise the family of Coast Guard logistics
systems. NESSS is a fully integrated system linking the functions of provisioning and cataloging, unit
configuration, supply and inventory control, procurement, depot-level maintenance and property
accountability, and a full financial general ledger.

Aviation Logistics Management Information System (ALMIS)

ALMIS provides Coast Guard Aviation logistics management support in the areas of operations,
configuration management, maintenance, supply, procurement, financial, and business intelligence.
Additionally, ALMIS covers the following types of information: Financial, Budget, Planning, Aircraft &
Crew Status, Training & Readiness, and Logistics & Supply. The Aviation Maintenance Management
Information System (AMMIS), a subcomponent of ALMIS, functions as the inventory management/fiscal
accounting component of the ALMIS application. The Aircraft Repair & Supply Center Information
Systems Division in North Carolina hosts the ALMIS application.

CG Treasury Information Executive Repository (CG TIER)

CG TIER is a financial data warehouse containing summarized and consolidated financial data relating to
USCG operations. It is one of several supporting applications within the CAS Suite designed to support
the core financial services provided by FINCEN. CG TIER provides monthly submissions to DHS
Consolidated TIER.

Integrated Aids to Navigation Information System (IATONIS)

IATONIS is a comprehensive system for managing and reporting on Aids to Navigation and related
navigational matters.
IATONIS incorporates the Local Notice to Mariners, which is the USCG’s primary means for
disseminating information concerning changes to aids to navigation, menaces to navigation, and other
timely items of interest to mariners. Additionally, it produces the Light List, the USCG’s official list of
all aids to navigation.

Customs and Border Protection (CBP)

Automated Commercial Environment (ACE)

ACE is the commercial trade processing system being developed by CBP to facilitate trade while
strengthening border security. CBP plans for this system to replace the Automated Commercial System
(ACS) when ACE is fully implemented. The mission of ACE is to implement a secure, integrated,
government-wide system for the electronic collection, use, and dissemination of international trade and
transportation data essential to Federal agencies. ACE is being deployed in phases, without a final, full
deployment date, due to funding setbacks. Because ACE is partially implemented now and processes a
significant amount of revenue for CBP, ACE was included in full scope in the FY 2012 financial
statement audit.
The ACE system is located in Virginia (VA).

Automated Commercial System (ACS)

ACS is a collection of mainframe-based business process systems used to track, control, and process
commercial goods and conveyances entering United States territory, for the purpose of collecting import
duties, fees, and taxes owed to the Federal government. ACS collects duties at ports, collaborates with
financial institutions to process duty and tax payments, provides automated duty filing for trade clients,
and shares information with the Federal Trade Commission on trade violations and illegal imports. The
ACS system was included in full scope in the FY 2012 financial statement audit. The ACS system is
located in VA.

National Data Center – DC Metro Local Area Network (DC Metro LAN)

The DC Metro LAN provides more than 10,000 CBP contractors and employees with access to
enterprise-wide applications and systems. The mission of the DC Metro LAN is to support the mission of
CBP operational elements in the DC Metro LAN region of the organization. These tools include personal
computers, laptop computers, printers, and file/print servers, which enable CBP officers and agents to
interact with all other applications and systems in the CBP environment. There are 21 major applications
supported by the DC Metro LAN, including ACE and ACS.
Because the DC Metro LAN includes the environment where the ACE, ACS, and SAP applications
physically reside, the DC Metro LAN was included in the FY 2012 financial statement audit. The DC
Metro LAN is located in VA.

Systems, Applications, and Products, Enterprise Central Component (SAP ECC)

SAP is a client/server-based financial management system that includes the Funds Management, Budget
Control System, General Ledger, Real Estate, Property, Internal Orders, Sales and Distribution, Special
Purpose Ledger, and Accounts Payable modules. These modules are used by CBP to manage assets (e.g.,
budget, logistics, procurement, and related policy) and revenue (e.g., accounting and commercial
operations: trade, tariff, and law enforcement), and to provide information for strategic decision making.
The SAP ECC financial management system was included in full scope in the FY 2012 financial
statement audit. The SAP ECC system is located in VA.

Federal Law Enforcement and Training Center (FLETC)

Financial Accounting and Budgeting System (FABS)

The FLETC FABS application is an all-in-one financial processing system. It functions as the
computerized accounting and budgeting system for FLETC. FLETC provides financial management
services to I&A/Ops and hosts a separate Momentum environment, which was developed to mirror the
FLETC Momentum environment. The FABS system exists to process all of the financial and budgeting
transactions in which FLETC is involved. An application called “Tuxedo” also resides on a separate
server. The Tuxedo middleware holds 67 executable files. These files are scripts that process daily
information and are not directly accessible by users.
The FABS application and servers reside on the FLETC Local Area Network in a hybrid physical network
topology and are accessible from four sites: Georgia (GA), Washington DC, New Mexico, and Maryland.

Glynco Administrative Network

The purpose of the Glynco Administrative Network (GAN) is to provide authorized FLETC personnel,
contractors, and partner organizations located at the Georgia facility with access to IT network
applications and services, including voice. It provides authorized users access to email, internet
services, required applications such as financial management systems, procurement systems, and
property management systems, video conferencing, and other network services and shared resources.
The GAN is located in GA.

Federal Emergency Management Agency (FEMA)

Integrated Financial Management Information System – Merger (IFMIS-Merger)

IFMIS-Merger is the official accounting system of FEMA and maintains all financial data for internal and
external reporting. IFMIS-Merger consists of five subsystems: Funding, Cost Posting, Disbursements,
Accounts Receivable, and General Ledger. The application is a commercial off-the-shelf software
package developed and maintained by Digital Systems Group Incorporated.
IFMIS-Merger interfaces with PARS, ProTrac, Smartlink (Department of Health and Human Services
[HHS]), Treasury Information Executive Repository (Department of the Treasury), Secure Payment
System (Department of the Treasury), Grants Management System (Department of Justice), United States
Coast Guard Credit Card System, Credit Card Transaction Management System (CCTMS), Fire Grants,
eGrants, Enterprise Data Warehouse, and Payroll (Department of Agriculture National Finance Center).
The IFMIS-Merger production environment is located in Virginia.

Payment and Reporting System (PARS)

PARS is a standalone web-based application. The PARS database resides on the IFMIS-Merger UNIX
server and is incorporated within the Certification & Accreditation (C&A) boundary for that system.
Through its web interface, PARS collects Standard Form 425 information from grantees and stores the
information in its Oracle 9i database. Automated scheduled jobs run daily to update and interface grant
and obligation information between PARS and IFMIS-Merger. All payments to grantees are made
through IFMIS-Merger. PARS is located in Virginia.

Non-Disaster Grant Management System (NDGrants)

NDGrants is a web-based system that supports the grants management lifecycle. It is used by external
stakeholders and grantees, via a public Web site, to apply for grants, monitor the progress of grant
applications, submit payments, and view related reports, and by the FEMA Program Support Division,
via an internal Web site, to review, approve, and process grant awards. NDGrants interfaces with two
other systems: FEMA’s internal Integrated Security and Access Control System (ISAAC), used for user
credentialing and role-based access, and the HHS Grants.gov system, used for publishing grant
solicitations and downloading applications.
NDGrants is located in Virginia.

Emergency Support (ES)

ES is an internal FEMA application for pre-processing disaster-related financial transactions, including
allocation, commitment, obligation, mission assignment, and payment requests from other internal and
external systems. ES serves as the primary interface to IFMIS. It also allows FEMA users to process
disaster housing payments, perform payment recoupment, and conduct other administrative tasks.
In addition to IFMIS, ES has interfaces to several other FEMA systems, including:
        ISAAC (organizational and personnel data and team setup);
        Emergency Coordination (incident and disaster declarations);
        Enterprise Coordination and Approvals Processing System (commitment and mission assignment
        [obligation] requests);
        Hazard Mitigation Grants Program (allocation and obligation requests);
        Individual Assistance (payment and recoupment requests);
        Public Assistance (PA) (obligation and allocation requests);
        Automated Deployment Database (personnel data);
        Assistance to Firefighters Grants (obligation, invoice, and vendor requests);
        Emergency Management Mission Integrated Environment (EMMIE) (obligation requests);
        Mitigation Electronic Grants Management System (obligation requests); and
        CCTMS (expenditure requests).
NDGrants is located in Virginia.

Emergency Management Mission Integrated Environment (EMMIE)

EMMIE is an internal Web-based grants management solution used by FEMA program offices and user
communities directly involved in the grant lifecycle associated with the PA Grant Program and the Fire
Management Assistance Grant Program. It is also designed to interface with other government entities
and grant and sub-grant applicants (e.g., states and localities). EMMIE provides functionality for public
entities and private non-profit entities to create and submit grant applications, and for FEMA users to
review and award applications, generate and review relevant mission-critical reports, process
amendments, and conduct close-out activities. Interfaces exist between the EMMIE system and IFMIS.
EMMIE is located in Virginia.

Traverse

Traverse is the general ledger application currently used by the NFIP Bureau and Statistical Agent to
generate the NFIP financial statements. Traverse is a client-server application that runs on the NFIP LAN
Windows server environment located in Maryland. The Traverse client is installed on the desktop
computers of the NFIP Bureau of Financial Statistical Control group members and interfaces with a
Microsoft Structured Query Language database hosted on an internal segment of the NFIP LAN.
Traverse has no known external system interfaces.

Transaction Recording and Reporting Processing (TRRP)

The TRRP application acts as a central repository of all data submitted by the Write Your Own (WYO)
companies and the Direct Servicing Agent (DSA) for the NFIP.
TRRP also supports the WYO program, primarily by ensuring the quality of financial data submitted by
the WYO companies and DSA to TRRP. TRRP is a mainframe-based application that runs on the NFIP
mainframe logical partition in Connecticut. TRRP has no known system interfaces.

Immigration and Customs Enforcement (ICE)

Federal Financial Management System (FFMS)

The FFMS is a Chief Financial Officer designated financial system and certified software application that
conforms to OMB Circular A-127 and implements the use of a Standard General Ledger for the
accounting of agency financial transactions. It is used to create and maintain a record of each allocation,
commitment, obligation, travel advance, and accounts receivable issued. It is the system of record for the
agency and supports all internal and external reporting requirements. FFMS is a commercial off-the-shelf
financial reporting system. It includes the core system used by accountants, FFMS Desktop, which is
used by general users, and a National Finance Center payroll interface. The FFMS mainframe component
and 14 servers are hosted at the DHS DC2 facility located in Virginia. FFMS currently interfaces with
Treasury, BMIS Web, and FedTraveler.

ICE Network

The ICE Network, also known as the ADEX E-mail System, is a major application for ICE.
The ADEX servers and infrastructure for the headquarters and National Capital Area are located in
Mississippi and Virginia. ADEX currently interfaces with the Diplomatic Telecommunications Service
Program Office ICENet Infrastructure.

Office of Financial Management (OFM)/Consolidated Component

DHS Treasury Information Executive Repository (DHSTIER)

DHSTIER is the system of record for the DHS consolidated financial statements and is used to track,
process, and perform validation and edit checks against monthly financial data uploaded from each of the
DHS bureaus’ core financial management systems. DHSTIER is administered jointly by the OCFO
Resource Management Transformation Office (RMTO) and the OCFO Office of Financial Management
(OFM) and is hosted on the DHS OneNet at the Stennis Data Center in Mississippi (MS).

Transportation Security Administration (TSA)

Core Accounting System (CAS)

CAS is the core accounting system that records financial transactions and generates financial statements
for the United States Coast Guard. CAS is hosted at the Coast Guard’s FINCEN in Virginia (VA) and is
managed by the United States Coast Guard. The FINCEN is the Coast Guard’s primary financial system
data center. CAS interfaces with other systems located at the FINCEN, including Financial and
Procurement Desktop.

Financial Procurement Desktop (FPD)

The FPD application is used to create and post obligations to the core accounting system. It allows users
to enter funding, create purchase requests, issue procurement documents, perform system administration
responsibilities, and reconcile weekly program element status reports.
FPD is interconnected with the CAS system, is hosted at the FINCEN in VA, and is managed by the
Coast Guard.

Sunflower

Sunflower is a customized third-party commercial off-the-shelf product used for TSA and Federal Air
Marshal Service property management. Sunflower interacts directly with the Office of Finance Fixed
Assets module in CAS. Additionally, Sunflower is interconnected to the FPD system, is hosted at the
FINCEN in VA, and is managed by the Coast Guard.

MarkView

MarkView is imaging and workflow software used to manage invoices in CAS. Each invoice is stored
electronically and associated with a business transaction so that users are able to see the image of the
invoice. MarkView is interconnected with the CAS system, is located at the FINCEN in VA, and is
managed by the Coast Guard.

Electronic Time Attendance and Scheduling (eTAS)

eTAS is an automated and standardized labor management solution. The system provides an automated
means to schedule employee work and leave hours, record hours worked and not worked, and provide
bi-weekly time records to TSA’s payroll provider, the National Finance Center.
The system automates the workforce management process to reduce the amount of time, effort, and
associated cost required for data entry.

United States Citizenship and Immigration Services (USCIS)

CLAIMS 3 Local Area Network (LAN)

CLAIMS 3 LAN provides USCIS with a decentralized, geographically dispersed, LAN-based mission
support case management system, with participation in the centralized CLAIMS 3 mainframe data
repository. CLAIMS 3 LAN supports the requirements of the Direct Mail Phase I and II, Immigration Act
of 1990 (IMMACT 90), and USCIS forms improvement projects. The CLAIMS 3 LAN is located at the
following service centers and district offices: Nebraska, California, Texas, Vermont, Baltimore District
Office, National Business Center, and Administrative Appeals Office. CLAIMS 3 LAN interfaces with
the following systems:
   Citizenship and Immigration Services Centralized Oracle Repository
   CLAIMS 3 Mainframe
   Integrated Card Production System
   CLAIMS 4
   E-filing
   Benefits Biometric Support System
   Refugee, Asylum, and Parole System
   National File Tracking System
   Integrated Card Production System
   Customer Relationship Interface System
   USCIS Enterprise Service Bus

CLAIMS 4

The purpose of CLAIMS 4 is to track and manage naturalization applications. CLAIMS 4 is a
client/server application.
The central Oracle database is located in Washington, DC, while application servers and client
components are located throughout USCIS service centers and district offices. CLAIMS 4 interfaces
with the following systems:
   Central Index System (CIS)
   Reengineered Naturalization Automated Casework System
   CLAIMS 3 LAN and Mainframe
   Refugee, Asylum, and Parole System
   Enterprise Performance Analysis System
   National File Tracking System
   Asylum Pre-Screening System
   USCIS Enterprise Service Bus
   Biometrics Benefits Support System
   Enterprise Citizenship and Immigration Service Centralized Operational Repository
   Customer Relationship Interface System
   FD 258 Enterprise Edition and Mainframe
   Site Profile System

Federal Financial Management System (FFMS)

The FFMS is a CFO designated financial system and certified software application that conforms to OMB
Circular A-127 and implements the use of a Standard General Ledger for the accounting of agency
financial transactions. It is used to create and maintain a record of each allocation, commitment,
obligation, travel advance, and accounts receivable issued. It is the system of record for the agency and
supports all internal and external reporting requirements. FFMS is a commercial off-the-shelf financial
reporting system. It includes the core system used by accountants, FFMS Desktop, which is used by
general users, and a National Finance Center payroll interface. The FFMS mainframe component and 14
servers are hosted at the DHS DC2 facility located in Virginia. FFMS currently interfaces with Treasury,
BMIS Web, and FedTraveler.

CIS1 Network

The USCIS network, also known as CIS1, is the Active Directory Domain Services platform used within
USCIS that contains all of USCIS’s Active Directory and Exchange resources.
CIS1 is a part of the Enterprise Infrastructure Services accreditation boundary, and all Active Directory
information, including the Active Directory database itself, is hosted on specified servers called Domain
Controllers. These 52 Active Directory Domain Controllers are located throughout the country, with the
majority of them located in Virginia and Nebraska.

                                                                           Appendix B
                       Department of Homeland Security
                   Information Technology Management Letter
                              September 30, 2012

                              Appendix B

FY 2012 Notices of IT Findings and Recommendations at DHS

United States Coast Guard

FY 2012 NFR # | NFR Title                                                                                                       | FISCAM Control Area      | New Issue | Repeat Issue
CG-IT-12-01   | Lack of Consistent Contractor, Civilian, and Military Account Termination Notification Process                  | Access Controls          |           |      X
CG-IT-12-02   | Civilian Background Investigations                                                                              | Security Management      |           |      X
CG-IT-12-03   | Contractor Background Investigations                                                                            | Security Management      |           |      X
CG-IT-12-04   | Inappropriate Access to JUMPS SMF Audit Logs                                                                    | Access Controls          |     X     |
CG-IT-12-05   | Direct Access & Direct Access II Audit Logging                                                                  | Access Controls          |           |      X
CG-IT-12-06   | OSC Data Center Visitor Access Logs                                                                             | Access Controls          |           |      X
CG-IT-12-07   | Physical Configuration Audits of NESSS System Changes                                                           | Configuration Management |     X     |
CG-IT-12-08   | Direct Access and Direct Access II PeopleSoft System Administrator and Security Administrator Accounts          | Access Controls          |     X     |
CG-IT-12-09   | Security Awareness Issues Identified During Social Engineering Testing at Surface Forces Logistics Center       | Access Controls          |           |      X
CG-IT-12-10   | Security Awareness Issues Associated with Physical Protection of Sensitive Information                          | Access Controls          |           |      X
CG-IT-12-11   | Weaknesses related to IA Professionals’ Required Certifications                                                 | Security Management      |           |      X
CG-IT-12-12   | Naval & Electronics Supply System User Access                                                                   | Access Controls          |           |      X
CG-IT-12-13   | AMMIS Software Change Requests Process                                                                          | Configuration Management |           |      X
CG-IT-12-14   | Configuration Management Controls over the Scripting Process                                                    | Configuration Management |           |      X
CG-IT-12-15   | Direct Access User Account Recertification                                                                      | Access Controls          |           |      X
CG-IT-12-16   | Access and Configuration Management Controls – Vulnerability Assessment                                         | Configuration Management |           |      X
CG-IT-12-17   | IATONIS Audit Log Review                                                                                        | Access Controls          |     X     |
CG-IT-12-18   | IATONIS Separation of Duties                                                                                    | Segregation of Duties    |     X     |
CG-IT-12-19   | Functional Configuration Audits of IATONIS System Changes                                                       | Configuration Management |     X     |
CG-IT-12-21   | NESSS User Recertification                                                                                      | Access Controls          |           |      X
CG-IT-12-22   | IATONIS Account Recertification                                                                                 | Access Controls          |     X     |

Customs and Border Protection

FY 2012 NFR # | NFR Title                                                                                                       | FISCAM Control Area      | New Issue | Repeat Issue
CBP-IT-12-01  | Physical Security Issues Identified During Enhanced Security Testing                                            | Access Controls          |           |      X
CBP-IT-12-02  | Inadequate Role-Based Security Training Program                                                                 | Security Management      |           |      X
CBP-IT-12-03  | Segregation of Duties Control Weaknesses within CBP System                                                      | Access Controls          |           |      X
CBP-IT-12-04  | CBP System User Profile Change Logs are not Reviewed                                                            | Access Controls          |           |      X
CBP-IT-12-05  | CBP System User Profile Change Logs are not Reviewed                                                            | Access Controls          |           |      X
CBP-IT-12-06  | Weaknesses in Creating New CBP System Accounts                                                                  | Access Controls          |           |      X
CBP-IT-12-07  | CBP System Audit Logs not Appropriately Reviewed                                                                | Access Controls          |           |      X
CBP-IT-12-08  | Incomplete Background Re-Investigations for CBP Employees and Contractors                                       | Security Management      |           |      X
CBP-IT-12-09  | Contractor NDAs are Incomplete                                                                                  | Security Management      |           |      X
CBP-IT-12-10  | Lack of Annual Recertification for CBP System Application Users                                                 | Access Controls          |     X     |
CBP-IT-12-11  | Incomplete Documentation of ISAs for CBP System Connections                                                     | Access Controls          |     X     |
CBP-IT-12-12  | Inadequate Documentation for CBP System Application Software Changes                                            | Configuration Management |     X     |
CBP-IT-12-13  | CBP System DB2 Database Patches are not Documented and Implemented Appropriately                                | Configuration Management |     X     |
CBP-IT-12-14  | CBP System AIX Operating System Patches are not Implemented Appropriately                                       | Configuration Management |     X     |
CBP-IT-12-15  | CBP System Production and Training Operating Systems Vulnerability Scanning Process Weaknesses and Scan Results | Configuration Management |           |      X
CBP-IT-12-16  | Lack of Access Requests and Approvals for CBP System Accounts                                                   | Access Controls          |           |      X
CBP-IT-12-17  | Lack of Monitoring Developer Emergency/Temporary Access to CBP System Production                                | Access Controls          |           |      X
CBP-IT-12-18  | Lack of Annual Recertification for CBP System Privileged Users                                                  | Access Controls          |     X     |
CBP-IT-12-19  | Incomplete Documentation of ISAs for CBP System Connections                                                     | Access Controls          |           |      X
CBP-IT-12-20  | Inadequate Documentation for CBP System Application Software Changes                                            | Configuration Management |     X     |
CBP-IT-12-21  | CBP System LPARs and Linux z/OS Vulnerability Scanning Process Weaknesses and Scan Results                      | Configuration Management |     X     |
CBP-IT-12-22  | CBP System Raised Floor Access Weaknesses                                                                       | Access Controls          |     X     |
CBP-IT-12-23  | Lack of Functionality in the CBP System                                                                         | Application Controls     |           |      X
CBP-IT-12-24  | Inadequate Documentation of CBP System Access Requests                                                          | Access Controls          |           |      X
CBP-IT-12-25  | Incomplete Access Request Approval Forms for New Remote Access User Account                                     | Access Controls          |           |      X
CBP-IT-12-26  | CBP System Security Authorization Documentation is Not Documented, Approved, and Kept Up-To Date.               | Access Controls          |     X     |
CBP-IT-12-27  | Separated Personnel on CBP System User Listing
                       Access Controls         X\n                Lack of Annual Recertification for CBP System Application, Oracle Database and\nCBP-IT-12-28                                                                                         Access Controls         X\n                Operating System Account Recertifications\nCBP-IT-12-29    CBP System Audit Logs are not Appropriately Reviewed                                 Access Controls         X\nCBP-IT-12-30    CBP System Technical Vulnerability Weaknesses                                    Configuration Management    X\nCBP-IT-12-31    Lack of Complete Review of CBP System Profile Changes                                Access Controls         X\nCBP-IT-12-32    CBP System Vulnerability Scanning Process Weaknesses and Scan Results            Configuration Management    X\n\n\n\n\n                                        Information Technology Management Letter for the \n\n                                FY 2012 Department of Homeland Security Financial Statement Audit\n\n                                                            Page 18\n\n\x0c                                                                                                                                 Appendix B\n                                                    Department of Homeland Security\n                                                Information Technology Management Letter\n                                                           September 30, 2012\n\n                                                                                                                         New        Repeat\nFY 2012 NFR #                                     NFR Title                                    FISCAM Control Area\n                                                                                                                         Issue       Issue\n                CBP System Configuration Setting for Disabling Inactive Accounts is 
not\nCBP-IT-12-33                                                                                      Access Controls         X\n                Configured Appropriately\nCBP-IT-12-34    Incomplete Documentation of ISAs for CBP System Connections                       Access Controls         X\n                CBP System Oracle Database and Unix Operating Systems Patches are not\nCBP-IT-12-36                                                                                  Configuration Management    X\n                Documented and Implemented Appropriately\nCBP-IT-12-38    Employee Separation Process Weaknesses                                          Security Management                   X\nCBP-IT-12-39    Contractor Separation Process Weaknesses                                        Security Management                   X\nCBP-IT-12-40    CBP System Segregation of Duties Weaknesses over the Production Environment   Configuration Management                X\n                CBP System Security Authorization Documentation is Not Documented,\nCBP-IT-12-41                                                                                      Access Controls         X\n                Approved, and Kept Up-To Date.\n                CBP System Security Authorization Documentation is Not Documented,\nCBP-IT-12-42                                                                                      Access Controls         X\n                Approved, and Kept Up-To Date.\n                CBP System Security Authorization Documentation is Not Documented,\nCBP-IT-12-43                                                                                      Access Controls         X\n                Approved, and Kept Up-To Date.\n                CBP System Program Library Access not Documented and Approved\nCBP-IT-12-45                                                                                  Configuration Management    X\n                Appropriately.\nCBP-IT-12-46   
 Separated Personnel on CBP System User Listing                                    Access Controls         X\nCBP-IT-12-47    Separated Personnel on CBP System User Listing                                    Access Controls                     X\n                Separated Personnel on CBP System Application and Operating System User\nCBP-IT-12-48                                                                                      Access Controls                     X\n                Listing\nCBP-IT-12-49    CBP System Audit Log Review Weaknesses                                            Access Controls         X\n\n\n\n\n                                        Information Technology Management Letter for the \n\n                                FY 2012 Department of Homeland Security Financial Statement Audit\n\n                                                            Page 19\n\n\x0c                                                                                                                                  Appendix B\n                                                     Department of Homeland Security\n                                                 Information Technology Management Letter\n                                                            September 30, 2012\n\n                                      Federal Emergency Management Agency\n                                                                                                                          New        Repeat\nFY 2012 NFR #                                      NFR Title                                    FISCAM Control Area\n                                                                                                                          Issue       Issue\nFEMA-IT-12-01   Security Awareness Issues Identified during After-Hours Physical Security        Security Management                   X\n                Testing at FEMA\nFEMA-IT-12-02   All Required Auditable Events Not 
Included in Traverse Audit Logs                  Access Controls                     X\nFEMA-IT-12-03   Inadequate Retention of NFIP LAN Audit Logs                                        Access Controls                     X\nFEMA-IT-12-04   Inadequate Documentation Supporting IFMIS-Merger User Functions                    Access Controls                     X\nFEMA-IT-12-05   Incomplete Recertification of Traverse Application User Privileges                 Access Controls         X\nFEMA-IT-12-06   Weaknesses Identified during the Vulnerability Assessment on IFMIS                Access Controls and                  X\n                                                                                               Configuration Management\nFEMA-IT-12-07   Weaknesses Identified during the Vulnerability Assessment on the NFIP LAN         Access Controls and      X\n                                                                                               Configuration Management\nFEMA-IT-12-08   Weaknesses Identified during the Vulnerability Assessment on Financially          Access Controls and      X\n                Significant Segments of the FEN and End-User Computing Environment             Configuration Management\nFEMA-IT-12-09   Weaknesses Identified during the Vulnerability Assessment on EMMIE                Access Controls and      X\n                                                                                               Configuration Management\nFEMA-IT-12-10   Weaknesses Identified during the Vulnerability Assessment on NDGrants             Access Controls and      X\n                                                                                               Configuration Management\nFEMA-IT-12-11   Inconsistent Authorization of New and Modified IFMIS-Merger Application User       Access Controls         X\n                Access\nFEMA-IT-12-12   Untimely Removal of FEN Access Privileges for Separated FEMA Employees             Access 
Controls                     X\nFEMA-IT-12-13   Incomplete Implementation of Role-Based Training for Individuals with            Security Management                   X\n                Significant Information Security Responsibilities\nFEMA-IT-12-14   Incomplete POA&Ms for Internal NFIP LAN Vulnerability Assessments              Configuration Management    X\nFEMA-IT-12-15   Weaknesses in the Management of POA&Ms for Audit Findings over FEMA              Security Management                   X\n                Financial Systems\n\n\n\n                                        Information Technology Management Letter for the \n\n                                FY 2012 Department of Homeland Security Financial Statement Audit\n\n                                                            Page 20\n\n\x0c                                                                                                                                  Appendix B\n                                                    Department of Homeland Security\n                                                Information Technology Management Letter\n                                                           September 30, 2012\n\n                                                                                                                          New        Repeat\nFY 2012 NFR #                                     NFR Title                                     FISCAM Control Area\n                                                                                                                          Issue       Issue\nFEMA-IT-12-16   Inconsistent Review of Audit Logs of IFMIS-Merger System Software                  Access Controls         X\n                Administrator Activity\nFEMA-IT-12-17   Lack of Adequate Configuration Management over Network Devices Supporting      Configuration Management                X\n                Financial Systems\nFEMA-IT-12-18   Non-Compliance with DHS Policy for 
Approval of Shared Accounts on the FEN          Access Controls         X\nFEMA-IT-12-19   Non-Compliance with DHS Policy for Approval of Remote Access to the FEN            Access Controls         X\nFEMA-IT-12-20   Lack of ISA between FEMA and Department of Justice                                 Access Controls         X\nFEMA-IT-12-21   Inadequate Security Authorization Documentation for the FEN                      Security Management                   X\nFEMA-IT-12-22   Lack of CMP Documentation for ES                                               Configuration Management    X\nFEMA-IT-12-23   Lack of Testing Traverse Application Changes Prior to Implementation           Configuration Management                X\nFEMA-IT-12-24   Inconsistent Documentation of TRRP Configuration Changes                       Configuration Management                X\nFEMA-IT-12-25   Inconsistent Review of PARS Database Audit Logs                                    Access Controls         X\nFEMA-IT-12-26   Lack of BIA Supporting the NDGrants CP                                           Contingency Planning      X\nFEMA-IT-12-27   Lack of Alternate Processing Site and Sufficient CP Testing for NDGrants         Contingency Planning      X\nFEMA-IT-12-28   Inconsistent Implementation of DHS Background Investigation Requirements for     Security Management                   X\n                FEMA Federal Employees and Contractors\nFEMA-IT-12-29   Non-Compliance with DHS Policies for IFMIS-Merger Security Authorization         Security Management       X\n                Documentation\nFEMA-IT-12-30   Lack of Adequate IFMIS-Merger CP and Plan Test Documentation                     Contingency Planning      X\nFEMA-IT-12-31   Approval of Elevated Privileges Was Not Consistent with DHS Policy                 Access Controls         X\nFEMA-IT-12-32   Lack of EMMIE System Owner Approval for Database Accounts                          Access Controls         X\nFEMA-IT-12-33   
Incomplete Access Procedures for Operations Branch Database Accounts               Access Controls         X\nFEMA-IT-12-34   Lack of ES System Owner Approval for Database Accounts                             Access Controls         X\nFEMA-IT-12-35   Lack of NDGrants System Owner Approval for Database Accounts                       Access Controls         X\n\n\n\n                                        Information Technology Management Letter for the \n\n                                FY 2012 Department of Homeland Security Financial Statement Audit\n\n                                                            Page 21\n\n\x0c                                                                                                                                    Appendix B\n                                                    Department of Homeland Security\n                                                Information Technology Management Letter\n                                                           September 30, 2012\n\n                                                                                                                            New        Repeat\nFY 2012 NFR #                                     NFR Title                                       FISCAM Control Area\n                                                                                                                            Issue       Issue\nFEMA-IT-12-36   Inconsistent Review of IFMIS-Merger Application and Database Audit Logs              Access Controls                     X\nFEMA-IT-12-37   Insufficient Development and Update of the EMMIE CP                                Contingency Planning      X\nFEMA-IT-12-38   Non-Compliance with Alternate Processing Site Requirements for EMMIE               Contingency Planning      X\nFEMA-IT-12-39   Insufficient Review and Approval of the ES CP                                      Contingency Planning      X\nFEMA-IT-12-40   Non-Compliance 
with Alternate Processing Site Requirements for ES                  Contingency Planning      X\nFEMA-IT-12-41   Incomplete POA&Ms for EMMIE SAR Weaknesses                                         Security Management       X\nFEMA-IT-12-42   Non-Compliant Security Authorization Package for NDGrants                          Security Management       X\nFEMA-IT-12-43   Non-Compliant Security Authorization Package for ES                                Security Management       X\nFEMA-IT-12-44   Incomplete Account Management Procedures for the EMMIE Application                   Access Controls         X\nFEMA-IT-12-45   Incomplete Account Management Procedures for NDGrants                                Access Controls         X\nFEMA-IT-12-46   Incomplete Account Management Procedures for ES                                      Access Controls         X\nFEMA-IT-12-47   Non-Compliance with DHS and FEMA Password Requirements for Oracle                    Access Controls         X\n                Databases Supporting Financial Applications\nFEMA-IT-12-48   Incomplete Waiver Request for Password Controls on Oracle Databases                  Access Controls         X\n                Supporting Financial Applications\nFEMA-IT-12-49   Inconsistent Authorization of Temporary Access to IFMIS-Merger System               Access Controls and                  X\n                Software                                                                         Configuration Management\nFEMA-IT-12-50   Inadequate Monitoring of Configuration Changes Deployed to the IFMIS-Merger      Configuration Management                X\n                Production Environment\nFEMA-IT-12-51   Inconsistent Activities and Incomplete Documentation Supporting Configuration    Configuration Management    X\n                Changes for the IFMIS-Merger Application\nFEMA-IT-12-52   Lack of ES Information System Security Officer Review of Monthly Vulnerability   Configuration Management    X\n          
      Scan Results\nFEMA-IT-12-53   Insufficient Audit Log Controls for EMMIE                                            Access Controls         X\nFEMA-IT-12-54   Insufficient Audit Log Controls for NDGrants                                         Access Controls         X\n\n\n                                        Information Technology Management Letter for the \n\n                                FY 2012 Department of Homeland Security Financial Statement Audit\n\n                                                            Page 22\n\n\x0c                                                                                                                                 Appendix B\n                                                      Department of Homeland Security\n                                                  Information Technology Management Letter\n                                                             September 30, 2012\n\n                                                                                                                         New        Repeat\nFY 2012 NFR #                                       NFR Title                                  FISCAM Control Area\n                                                                                                                         Issue       Issue\nFEMA-IT-12-55    Insufficient Audit Log Controls for ES                                           Access Controls         X\nFEMA-IT-12-56    Incomplete Documentation Supporting EMMIE Configuration Management           Configuration Management    X\n                 Controls\nFEMA-IT-12-57    Unauthorized Shared Account Usage for EMMIE and NDGrants Production          Configuration Management    X\n                 Application Deployments\nFEMA-IT-12-58    Lack of Controls to Validate Completeness and Integrity of EMMIE and         Configuration Management    X\n                 NDGrants Application Changes Deployed to 
Production\nFEMA-IT-12-59    Incomplete Documentation Supporting NDGrants Configuration Management        Configuration Management    X\n                 Controls\nFEMA-IT-12-60    Incomplete Vulnerability Management Procedures                               Configuration Management    X\nFEMA-IT-12-61    Excessive or Inappropriate Access to IFMIS                                       Access Controls         X\n\n\n                                     Federal Law Enforcement Training Center\n\n                                                                                                                         New        Repeat\nFY 2012 NFR #                                       NFR Title                                  FISCAM Control Area\n                                                                                                                         Issue       Issue\nFLETC-IT-12-01         Ineffective Segregation of Duties Controls for the Momentum System       Segregation of Duties                 X\nFLETC-IT-12-02        FLETC Servers and Workstations have Inadequate Patch Management         Configuration Management    X\nMGA-IT-12-03            I&A/Ops Momentum Access Controls are not Consistently Applied             Access Controls         X\nMGA-IT-12-04     Configuration Changes for the I&A/Ops Momentum System are not Consistently   Configuration Management    X\n                                                 Documented\n\n\n\n\n                                         Information Technology Management Letter for the \n\n                                 FY 2012 Department of Homeland Security Financial Statement Audit\n\n                                                             Page 23\n\n\x0c                                                                                                                                     Appendix B\n                                                    Department of Homeland Security\n                       
                         Information Technology Management Letter\n                                                           September 30, 2012\n\n                                       Immigration and Customs Enforcement\n                                                                                                                             New        Repeat\nFY 2012 NFR #                                     NFR Title                                        FISCAM Control Area\n                                                                                                                             Issue       Issue\n ICE-IT-12-01   FFMS Network and Servers were Installed with Default Configuration Settings       Configuration Management                X\n                and Protocols\n ICE-IT-12-02   FFMS Mainframe Production Databases were Installed and                            Configuration Management                X\n                Configured without Baseline Security Configurations\n ICE-IT-12-03   FFMS Servers have Inadequate Patch Management                                     Configuration Management                X\n ICE-IT-12-04   FFMS Access Recertification Reviews are Not Completed                                 Access Controls                     X\n ICE-IT-12-05   Weak FFMA Segregation of Duties                                                     Segregation of Duties                 X\n ICE-IT-12-06   Security Awareness Issues Identified During After-Hours Walkthrough                 Security Management                   X\n ICE-IT-12-07   Lack of Procedures for Transferred/Terminated Personnel Exit Processing               Access Controls                     X\n ICE-IT-12-08   ICE Servers and Workstation have Inadequate Patch Management                          Access Controls                     X\n ICE-IT-12-09   ICE Servers and Workstations were Installed with Default Configuration Settings   Configuration Management    X\n           
     and Protocols\n ICE-IT-12-10   Lack of Recertification for ADEX Users                                                 Access Control         X\n ICE-IT-12-11   Inadequate FFMS User Access Request Forms                                              Access Control         X\n\n\n                                 National Protection and Programs Directorate\n\n                                                                                                                             New        Repeat\nFY 2012 NFR #                                     NFR Title                                        FISCAM Control Area\n                                                                                                                             Issue       Issue\nNPPD-IT-12-01   Security Awareness Issues Identified During After-Hours Walkthrough                 Security Management       X\nNPPD-IT-12-02   Security Awareness Issues were identified during Social Engineering                 Security Management       X\n\n\n\n\n                                        Information Technology Management Letter for the \n\n                                FY 2012 Department of Homeland Security Financial Statement Audit\n\n                                                            Page 24\n\n\x0c                                                                                                                                       Appendix B\n                                                      Department of Homeland Security\n                                                  Information Technology Management Letter\n                                                             September 30, 2012\n\n                Office of Financial Management / Office of Chief Information Officer\n                                                                                                                               New        Repeat\nFY 2012 NFR #                                        
NFR Title                                       FISCAM Control Area\n                                                                                                                               Issue       Issue\nCONS-IT-12-01   Network Logical Access Parameters are not Configured in Accordance with DHS             Access Controls                     X\n                Policy\nCONS-IT-12-02   TIER Configuration Management procedures not consistently executed                  Configuration Management    X\nCONS-IT-12-03   Security Awareness Issues Identified During After-Hours Walkthrough                   Security Management                   X\nOCIO-IT-12-01   DHS has not Fully Implemented the Federal Desktop Core Configuration (FDCC)           Security Management                   X\n                Security Configurations Requirements\nOCIO-IT-12-02   DHS Physical Controls could be Strengthened                                             Access Controls                     X\nOCIO-IT-12-03   DHS Infrastructure Configuration Management procedures not adequately defined       Configuration Management    X\nOCIO-IT-12-04   Ineffective safeguards over physical access to sensitive facilities and resources       Access Controls         X\n\n\n                                        Transportation Security Administration\n\n                                                                                                                               New        Repeat\nFY 2012 NFR #                                        NFR Title                                       FISCAM Control Area\n                                                                                                                               Issue       Issue\nTSA-IT-12-01    Physical Security and Security Awareness Issues identified during enhanced              Access Controls                     X\n                security testing\nTSA-IT-12-02    Computer Access Agreements                       
                                       Access Controls                     X\nTSA-IT-12-03    eTAS User Account Recertification                                                       Access Controls         X\nTSA-IT-12-04    eTAS User Passwords                                                                     Access Controls         X\nTSA-IT-12-05    eTAS Restoration Testing of Media Backups                                             Contingency Planning      X\nTSA-IT-12-06    eTAS Audit Logs                                                                         Access Controls         X\nTSA-IT-12-07    eTAS System User Access                                                                 Access Controls         X\nTSA-IT-12-08    Configuration Management Controls Over the Coast Guard Scripting Process            Configuration Management                X\n\n\n                                         Information Technology Management Letter for the \n\n                                 FY 2012 Department of Homeland Security Financial Statement Audit\n\n                                                             Page 25\n\n\x0c                                                                                                                              Appendix B\n                                                    Department of Homeland Security\n                                                Information Technology Management Letter\n                                                           September 30, 2012\n\n                                                                                                                      New        Repeat\nFY 2012 NFR #                                     NFR Title                                 FISCAM Control Area\n                                                                                                                      Issue       Issue\nTSA-IT-12-09    eTAS Pre-Implementation Deficiencies               
                          Security Management       X\n\n\n                             United States Citizenship and Immigration Services\n\n                                                                                                                      New        Repeat\nFY 2012 NFR #                                     NFR Title                                 FISCAM Control Area\n                                                                                                                      Issue       Issue\n CIS-IT-12-01   Policies and Procedures for CLAIMS 3 LAN and CLAIMS 4                          Access Controls                     X\n                Audit Logs\n CIS-IT-12-02   Inadequate Access Request Forms for CLAIMS 4 System Users                      Access Controls                     X\n CIS-IT-12-03   Weak Logical Access Controls exist over CLAIMS 4                               Access Controls                     X\n CIS-IT-12-04   Security Awareness Issues Identified during After-Hours Walkthrough          Security Management       X\n CIS-IT-12-05   Lack of Segregation of Duties for CLAIMS 3 LAN                                 Access Controls                     X\n CIS-IT-12-06   Periodic User Access Reviews are not Performed for CLAIMS 3 LAN Users          Access Controls                     X\n CIS-IT-12-07   FFMS Vulnerability Weaknesses Impact USCIS Operations                      Configuration Management                X\n CIS-IT-12-08   Security Awareness Issues were Identified during Social Engineering          Security Management       X\n CIS-IT-12-09   Procedures for Transferred/Terminated Personnel Exit Processing are not        Access Controls                     X\n                Finalized\n CIS-IT-12-10   Lack of Policies and Procedures for Separated CLAIMS 3 LAN Accounts            Access Controls                     X\n CIS-IT-12-11   Equipment and Media Policies and Procedures are not Current                    
Access Controls                     X

FY 2012 NFR #    Issue     FISCAM Control Area      NFR Title
CIS-IT-12-12     Repeat    Security Management      Lack of Computer Security Awareness Training Compliance
CIS-IT-12-13     Repeat    Security Management      Lack of Role-Based Training for Key Security Personnel
CIS-IT-12-14     New       Security Management      Lack of ATO for CLAIMS 3 LAN
CIS-IT-12-15     New       Security Management      Lack of ATO for CLAIMS 4
CIS-IT-12-16     New       Segregation of Duties    Lack of Segregation of Duties Controls over CIS 1

Information Technology Management Letter for the
FY 2012 Department of Homeland Security Financial Statement Audit
Page 26

Appendix B
Department of Homeland Security
Information Technology Management Letter
September 30, 2012

FY 2012 NFR #    Issue     FISCAM Control Area      NFR Title
CIS-IT-12-17     New       Access Controls          Visitor Access Controls are Inadequate at the VSC
CIS-IT-12-18     New       Access Controls          Inadequate CIS1 Access Request Forms for Temporary Users
CIS-IT-12-19     New       Access Controls          Incomplete Recertification for CIS 1 Network Administrators


Appendix C

Status of Prior Year Notices of Findings and Recommendations and
Comparison to Current Year Notices of Findings and Recommendations at DHS

Disposition of each FY 2011 NFR is shown as Closed (no longer an open finding) or Repeat (reissued as an FY 2012 NFR).


Customs and Border Protection

NFR #            Disposition   Description
CBP-IT-11-01     Closed        Security Awareness Issues Identified During Enhanced Security Testing
CBP-IT-11-02     Repeat        Physical Security Issues Identified during Enhanced Security Testing
CBP-IT-11-03     Repeat        Inadequate Role-based Security Training Program
CBP-IT-11-04     Repeat        Segregation of Duties Control Weaknesses within the CBP System
CBP-IT-11-05     Repeat        CBP System User Access Profile Change Log Review Procedures Have Not Been Implemented
CBP-IT-11-07     Repeat        Lack of Monitoring of Developer Emergency/Temporary Access to CBP System Production
CBP-IT-11-08     Closed        Lack of Monitoring of CBP System Novell Server Audit Logs
CBP-IT-11-09     Closed        Lack of Update to CBP System Contingency Plan
CBP-IT-11-10     Closed        Lack of Update to CBP System Security Plan
CBP-IT-11-11     Repeat        Background Investigations and Reinvestigations for CBP Employees and Contractors are not Completed
CBP-IT-11-12     Repeat        Contractor Separation procedures are not Updated and Contractor Separation forms are not Maintained
CBP-IT-11-13     Repeat        Lack of Access Requests and Approval for CBP System Accounts
CBP-IT-11-14     Repeat        CBP System Profile Change Logs are not Reviewed
CBP-IT-11-15     Repeat        CBP System User Access Form Documentation is Incomplete
CBP-IT-11-16     Closed        CBP System Privileged User Recertification is Incomplete
CBP-IT-11-17     Repeat        Remote User Access Form Documentation is Incomplete
CBP-IT-11-18     Repeat        CBP System Interconnection Security Agreements are Incomplete
CBP-IT-11-19     Repeat        Contractor Non-Disclosure Agreement Weaknesses
CBP-IT-11-20     Repeat        Employee Separations Weaknesses
CBP-IT-11-21     Repeat        CBP System Audit Log Review Weaknesses
CBP-IT-11-22     Repeat        CBP System User Access Authorization Evidence Weakness
CBP-IT-11-23     Closed        CBP System Security Test & Evaluation Weakness
CBP-IT-11-24     Closed        CBP System Configuration Management Policies and Procedures not Finalized
CBP-IT-11-25     Closed        CBP System Account Authentication Weaknesses
CBP-IT-11-26     Closed        CBP System Audit Log Review Weaknesses
CBP-IT-11-27     Repeat        Security Weaknesses Identified during Technical Vulnerability Assessment
CBP-IT-11-28     Closed        Security Posture of CBP Workstations
CBP-IT-11-30     Repeat        Separated Personnel on CBP System User Listings
CBP-IT-11-31     Repeat        CBP System Functionality Issues
CBP-IT-11-32     Repeat        CBP System User Account Termination Weaknesses
CBP-IT-11-33     Closed        CBP System Security Test & Evaluation Weakness
CBP-IT-11-34     Closed        CBP System Security Test & Evaluation Weakness
CBP-IT-11-35     Closed        Evidence of Personnel Authorization to Access Backup Media Not Available
CBP-IT-11-36     Closed        CBP System Recertification Weaknesses
CBP-IT-11-37     Closed        CBP System Privileged User Access Management Process Weaknesses
CBP-IT-11-38     Repeat        CBP System Privileged User Segregation of Duties Weaknesses

Note 1: NFR numbers CBP-IT-11-06 and CBP-IT-11-29 were not used in the FY 2011 IT NFR sequence.
Note 2: Specific system names were replaced with “CBP System” for security purposes.


United States Coast Guard

NFR #            Disposition   Description
CG-IT-11-01      Repeat        Security Awareness Issues Associated with Physical Protection of Sensitive Information
CG-IT-11-02      Closed        Direct Access and Direct Access II User and System Administrator Account Management and Approval
CG-IT-11-03      Closed        CG-TIER resource owners’ identification of authorized users
CG-IT-11-04      Repeat        Weaknesses Related to IA Professionals’ Required Certifications
CG-IT-11-05      Repeat        Configuration Management Controls over the Scripting Process
CG-IT-11-06      Repeat        Civilian Background Investigations
CG-IT-11-07      Repeat        Contractor Background Investigations
CG-IT-11-08      Repeat        Security Awareness Issues Associated with the Social Engineering Testing
CG-IT-11-09      Repeat        OSC Data Center Visitor Access Logs
CG-IT-11-10      Repeat        Direct Access and Direct Access II Audit Logging and General IT Control Validation
CG-IT-11-11      Repeat        AMMIS Software Change Requests Process
CG-IT-11-12      Closed        SAM and NESSS Audit Log Review
CG-IT-11-13      Repeat        Direct Access System User Account Recertification
CG-IT-11-14      Repeat        NESSS Access Authorizations
CG-IT-11-15      Repeat        Lack of Consistent Contractor, Civilian, and Military Account Termination Notification Process for Coast Guard Systems
CG-IT-11-16      Closed        Naval & Electronics Supply Support System Users Who Have Admin Capabilities
CG-IT-11-17      Closed        ALMIS User Recertification
CG-IT-11-18      Closed        Non-Compliance with FFMIA – Information Technology
CG-IT-11-19      Closed        Weaknesses Associated with the Coast Guard Security Incident Database and Ticket System
CG-IT-11-20      Repeat        Access and Configuration Management Controls – Vulnerability Assessment
CG-IT-11-21      Repeat        Naval and Electronics Supply Support System User Account Recertification


United States Citizenship and Immigration Services

NFR #            Disposition   Description
CIS-IT-11-01     Repeat        Equipment and media policies and procedures are not current
CIS-IT-11-02     Closed        Weak password configuration controls for CLAIMS 4
CIS-IT-11-03     Repeat        Policies and procedures for CLAIMS 3 LAN and CLAIMS 4 audit logs
CIS-IT-11-04     Repeat        Policies and procedures for separated CLAIMS 3 LAN accounts
CIS-IT-11-05     Repeat        Periodic user access reviews are not performed for CLAIMS 3 LAN users
CIS-IT-11-06     Repeat        Procedures for transferred/terminated personnel exit processing are not finalized
CIS-IT-11-07     Repeat        Incomplete or inadequate access request forms for CLAIMS 3 LAN and CLAIMS 4 system users
CIS-IT-11-08     Closed        ICE resource server and inadequate patch management weaknesses impact USCIS operations
CIS-IT-11-09     Closed        Weak password configuration controls for CLAIMS 3 LAN
CIS-IT-11-10     Repeat        Weak logical access controls exist over CLAIMS 4
CIS-IT-11-11     Closed        Ineffective safeguards over physical access to sensitive facilities and resources
CIS-IT-11-12     Closed        VPN access request forms are not properly maintained
CIS-IT-11-13     Repeat        Lack of Segregation of Duties for CLAIMS 3 LAN
CIS-IT-11-14     Closed        ADEX access request forms are not properly maintained
CIS-IT-11-15     Repeat        Lack of Computer Security Awareness Training Compliance
CIS-IT-11-16     Repeat        Lack of role-based training for key security personnel
CIS-IT-11-17     Repeat        FFMS Vulnerability Weaknesses affect USCIS Operations


Office of Financial Management / Office of Chief Information Officer

NFR #            Disposition   Description
CONS-IT-11-01    Repeat        Network Logical Access Parameters are not Configured in Accordance with DHS policy
CONS-IT-11-02    Repeat        Security Awareness issues identified during After-Hours Walkthrough
OCIO-IT-11-01    Repeat        DHS has not Fully Implemented the Federal Desktop Core Configuration (FDCC) Security Configurations Requirements
OCIO-IT-11-02    Repeat        DHS physical controls could be strengthened


Federal Emergency Management Agency

NFR #            Disposition   Description
FEMA-IT-11-01    Closed        Alternate Processing Site for NEMIS Has Not Been Established
FEMA-IT-11-02    Repeat        Weaknesses Exist in the C&A Package for the FEMA Switched Network (FSN)-2, which Includes the FEMA LAN
FEMA-IT-11-03    Closed        Weaknesses Exist over the ATO and C&A Documentation for NEMIS
FEMA-IT-11-04    Repeat        NEMIS CP Does Not Comprehensively Address the Requirements of DHS Policy and Has Not Been Adequately Tested
FEMA-IT-11-05    Repeat        Formalized Training Requirements for Individuals with Significant Information Security Responsibilities Have Not Been Fully Implemented and Role-Based Training is Not Tracked or Monitored
FEMA-IT-11-06    Repeat        Documentation Supporting IFMIS-Merger User Functions Does Not Exist
FEMA-IT-11-07    Closed        Oracle Databases Supporting Financial Applications within the Previous NEMIS Accreditation Boundary are Not Configured to Enforce Password Requirements
FEMA-IT-11-08    Closed        Oracle Databases Supporting Financial Applications within the Previous NEMIS Accreditation Boundary Do Not Adequately Enforce Account Lockout Requirements
FEMA-IT-11-09    Closed        Operating System Audit Logging on Servers Supporting Financial Applications within the Previous NEMIS Accreditation Boundary is Not Adequate
FEMA-IT-11-10    Closed        Weaknesses Existed over Contingency Planning, Testing and Development of the Continuity of Operations Plan for TRRP and Traverse
FEMA-IT-11-11    Closed        Recertification of NEMIS Access Control System Position Assignments is Incomplete
FEMA-IT-11-12    Closed        Audit Logging on Databases Supporting Financial Applications within the Previous NEMIS Accreditation Boundary is Not Adequate
FEMA-IT-11-13    Closed        Weaknesses Exist over Vulnerability Management for Servers Supporting Financial Applications within the Previous NEMIS Accreditation Boundary
FEMA-IT-11-14    Closed        NFIP Physical Access Policies and Procedures were Not Appropriately Documented and Implemented
FEMA-IT-11-15    Closed        NFIP LAN and Traverse Account Security Configuration Is Not in Compliance with DHS Policy
FEMA-IT-11-16    Closed        TRRP Logical Access was Not Appropriately Authorized
FEMA-IT-11-17    Repeat        Weaknesses Exist over Configuration and Operating Effectiveness of Traverse Audit Logs
FEMA-IT-11-18    Repeat        Inadequate Monitoring of Configuration Changes Deployed to the IFMIS-Merger Production Environment
FEMA-IT-11-19    Closed        Weaknesses Exist over Configuration Management Processes for Financial Applications within the Previous NEMIS Accreditation Boundary
FEMA-IT-11-20    Closed        Weaknesses Exist over IFMIS-Merger Configuration Management Processes
FEMA-IT-11-21    Closed        Weaknesses Exist over Recertification of Access to the IFMIS-Merger Application
FEMA-IT-11-22    Closed        Weaknesses Exist over TRRP Mainframe Audit Logs
FEMA-IT-11-23    Repeat        Emergency and Temporary Access to IFMIS-Merger is Not Properly Authorized
FEMA-IT-11-24    Repeat        Weaknesses Exist over IFMIS-Merger Application and Database Audit Logging
FEMA-IT-11-25    Closed        IFMIS-Merger User Access was Not Managed in Accordance with Account Management Procedures
FEMA-IT-11-26    Closed        PARS Database Security Controls Are Not Appropriately Established
FEMA-IT-11-27    Repeat        NFIP LAN Audit Logging is Not Performed in Accordance with DHS and FEMA Requirements
FEMA-IT-11-28    Closed        Individual User Virtual Private Network (VPN) Access Accounts are Not Appropriately Authorized or Recertified
FEMA-IT-11-29    Closed        External Connections to the FEMA VPN Are Not Appropriately Authorized or Documented
FEMA-IT-11-30    Closed        IFMIS-Merger System Software Administrator Activity Is Not Appropriately Restricted or Monitored
FEMA-IT-11-31    Closed        Weaknesses Exist over C&A Documentation for IFMIS-Merger
FEMA-IT-11-32    Closed        Risk Assessment Activities over NFIP IT Systems were Not Adequately Performed
FEMA-IT-11-33    Repeat        Weaknesses Exist over Management and Technical Controls Associated with FEMA LAN Accounts
FEMA-IT-11-34    Closed        Employee Termination Process for Removing System Access Should Be More Proactive
FEMA-IT-11-35    Repeat        Traverse Configuration Management Plan Weaknesses
FEMA-IT-11-36    Repeat        TRRP Configuration Management Plan Weaknesses
FEMA-IT-11-37    Closed        Documentation Supporting TRRP Test Libraries Does Not Reflect Current Environment
FEMA-IT-11-38    Closed        Federal Insurance and Mitigation Administration CMP has Not Been Developed
FEMA-IT-11-39    Repeat        Weaknesses Exist over Background Investigations for Federal Employees and Contractors
FEMA-IT-11-40    Repeat        Weaknesses in the Management of POA&Ms for Audit Findings over FEMA Financial Systems
FEMA-IT-11-41    Repeat        Physical Security and Security Awareness Issues Associated with Enhanced Security Testing at FEMA
FEMA-IT-11-42    Closed        Traverse Accounts Were Not Appropriately Recertified
FEMA-IT-11-43    Repeat        Lack of Adequate Configuration Management over Network Devices Supporting Financial Systems
FEMA-IT-11-44    Repeat        Password, Patch, and Configuration Management Weaknesses Were Identified during the Vulnerability Assessment on IFMIS, NEMIS, and Key Support Servers
FEMA-IT-11-45    Closed        Vulnerability Assessment Program for the NFIP LAN Supporting Traverse was Inadequate
FEMA-IT-11-46    Closed        Weaknesses Existed over the Configuration Patch Management Process for the NFIP LAN Supporting Traverse
FEMA-IT-11-47    Closed        Weaknesses Exist over the Configuration and Testing of Backups for Servers Supporting Financial Applications within the Previous NEMIS Accreditation Boundary
FEMA-IT-11-48    Closed        Key Controls over Production Servers Supporting Applications within the Former NEMIS Accreditation Boundary Have Not Been Implemented


Federal Law Enforcement Training Center

NFR #            Disposition   Description
FLETC-IT-11-01   Closed        Ineffective Logical Access Controls over the GAN
FLETC-IT-11-02   Repeat        Ineffective Segregation of Duties controls for the Momentum System


Immigration and Customs Enforcement

NFR #            Disposition   Description
ICE-IT-11-01     Repeat        ADEX Resource Servers and Workstations have Inadequate Patch Management
ICE-IT-11-02     Closed        Terminated/Transferred Personnel are not Removed from ADEX in a Timely Manner
ICE-IT-11-03     Repeat        Access Recertification Review is not completed for FFMS
ICE-IT-11-04     Repeat        Weak FFMS Segregation of Duties
ICE-IT-11-05     Closed        Security Awareness issues were identified during Social Engineering
ICE-IT-11-06     Repeat        FFMS Network and Servers were installed with Default Configuration Settings and Protocols
ICE-IT-11-07     Repeat        FFMS Mainframe Production databases were installed and configured without baseline security configurations
ICE-IT-11-08     Repeat        FFMS servers have inadequate patch management
ICE-IT-11-09     Closed        Default installation and configuration of Cisco routers on ICE Network
ICE-IT-11-10     Repeat        Security Awareness issues identified during After-Hours Walkthrough
ICE-IT-11-11     Repeat        Lack of procedures for transferred/terminated personnel exit processing


Transportation Security Administration

NFR #            Disposition   Description
TSA-IT-11-01     Closed        Markview – Password Settings
TSA-IT-11-02     Closed        Markview – Administrator Account
TSA-IT-11-03     Repeat        Physical Security and Security Awareness Issues Identified during Enhanced Security Testing
TSA-IT-11-04     Repeat        TSA Computer Access Agreement Process
TSA-IT-11-05     Closed        Sunflower and Markview User Account Recertifications
TSA-IT-11-06     Repeat        Configuration Management Controls Over the Coast Guard Scripting Process


ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this document, please call us at (202) 254-4100, fax your request to (202) 254-4305, or e-mail your request to our Office of Inspector General (OIG) Office of Public Affairs at: DHS-OIG.OfficePublicAffairs@oig.dhs.gov.

For additional information, visit our website at: www.oig.dhs.gov, or follow us on Twitter at: @dhsoig.

OIG HOTLINE

To expedite the reporting of alleged fraud, waste, abuse or mismanagement, or any other kinds of criminal or noncriminal misconduct relative to Department of Homeland Security (DHS) programs and operations, please visit our website at www.oig.dhs.gov and click on the red tab titled "Hotline" to report. You will be directed to complete and submit an automated DHS OIG Investigative Referral Submission Form. Submission through our website ensures that your complaint will be promptly received and reviewed by DHS OIG.

Should you be unable to access our website, you may submit your complaint in writing to: DHS Office of Inspector General, Attention: Office of Investigations Hotline, 245 Murray Drive, SW, Building 410/Mail Stop 2600, Washington, DC, 20528; or you may call 1 (800) 323-8603; or fax it directly to us at (202) 254-4297.

The OIG seeks to protect the identity of each writer and caller.
